/*
 * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.openid;

import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.authority.mapping.NullAuthoritiesMapper;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.util.Assert;

/**
 * Finalises the OpenID authentication by obtaining local authorities for the
 * authenticated user.
 * <p>
 * The authorities are obtained by calling the configured {@code UserDetailsService}. The
 * {@code UserDetails} it returns must, at minimum, contain the username and
 * {@code GrantedAuthority} objects applicable to the authenticated user. Note that by
 * default, Spring Security ignores the password and enabled/disabled status of the
 * {@code UserDetails} because this is authentication-related and should have been
 * enforced by another provider server.
 * <p>
 * The {@code UserDetails} returned by implementations is stored in the generated
 * {@code Authentication} token, so additional properties such as email addresses,
 * telephone numbers etc can easily be stored.
 *
 * @author Robin Bramley, Opsera Ltd.
 * @author Luke Taylor
 */
public class OpenIDAuthenticationProvider
		implements AuthenticationProvider, InitializingBean {
	// ~ Instance fields
	// ================================================================================================

	private AuthenticationUserDetailsService<OpenIDAuthenticationToken> userDetailsService;
	private GrantedAuthoritiesMapper authoritiesMapper = new NullAuthoritiesMapper();

	// ~ Methods
	// ========================================================================================================

	public void afterPropertiesSet() {
		Assert.notNull(this.userDetailsService, "The userDetailsService must be set");
	}

	/*
	 * (non-Javadoc)
	 *
	 * @see
	 * org.springframework.security.authentication.AuthenticationProvider#authenticate
	 * (org.springframework.security.Authentication)
	 */
	public Authentication authenticate(final Authentication authentication)
			throws AuthenticationException {

		if (!supports(authentication.getClass())) {
			return null;
		}

		if (authentication instanceof OpenIDAuthenticationToken) {
			OpenIDAuthenticationToken response = (OpenIDAuthenticationToken) authentication;
			OpenIDAuthenticationStatus status = response.getStatus();

			// handle the various possibilities
			if (status == OpenIDAuthenticationStatus.SUCCESS) {
				// Lookup user details
				UserDetails userDetails = this.userDetailsService
						.loadUserDetails(response);

				return createSuccessfulAuthentication(userDetails, response);

			}
			else if (status == OpenIDAuthenticationStatus.CANCELLED) {
				throw new AuthenticationCancelledException("Log in cancelled");
			}
			else if (status == OpenIDAuthenticationStatus.ERROR) {
				throw new AuthenticationServiceException(
						"Error message from server: " + response.getMessage());
			}
			else if (status == OpenIDAuthenticationStatus.FAILURE) {
				throw new BadCredentialsException(
						"Log in failed - identity could not be verified");
			}
			else if (status == OpenIDAuthenticationStatus.SETUP_NEEDED) {
				throw new AuthenticationServiceException(
						"The server responded setup was needed, which shouldn't happen");
			}
			else {
				throw new AuthenticationServiceException(
						"Unrecognized return value " + status.toString());
			}
		}

		return null;
	}

	/**
	 * Handles the creation of the final <tt>Authentication</tt> object which will be
	 * returned by the provider.
	 * <p>
	 * The default implementation just creates a new OpenIDAuthenticationToken from the
	 * original, but with the UserDetails as the principal and including the authorities
	 * loaded by the UserDetailsService.
	 *
	 * @param userDetails the loaded UserDetails object
	 * @param auth the token passed to the authenticate method, containing
	 * @return the token which will represent the authenticated user.
	 */
	protected Authentication createSuccessfulAuthentication(UserDetails userDetails,
			OpenIDAuthenticationToken auth) {
		return new OpenIDAuthenticationToken(userDetails,
				this.authoritiesMapper.mapAuthorities(userDetails.getAuthorities()),
				auth.getIdentityUrl(), auth.getAttributes());
	}

	/**
	 * Used to load the {@code UserDetails} for the authenticated OpenID user.
	 */
	public void setUserDetailsService(UserDetailsService userDetailsService) {
		this.userDetailsService = new UserDetailsByNameServiceWrapper<>(
				userDetailsService);
	}

	/**
	 * Used to load the {@code UserDetails} for the authenticated OpenID user.
	 */
	public void setAuthenticationUserDetailsService(
			AuthenticationUserDetailsService<OpenIDAuthenticationToken> userDetailsService) {
		this.userDetailsService = userDetailsService;
	}

	/*
	 * (non-Javadoc)
	 *
	 * @see
	 * org.springframework.security.authentication.AuthenticationProvider#supports(java
	 * .lang.Class)
	 */
	public boolean supports(Class<?> authentication) {
		return OpenIDAuthenticationToken.class.isAssignableFrom(authentication);
	}

	public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper) {
		this.authoritiesMapper = authoritiesMapper;
	}
}
